The transmission of data over a data network typically involves sending messages between application programs (“applications”) executing on host processors connected to the data network. In a packet network such as the Internet a host processor encapsulates data from an application into data packets (e.g., frames) to send the data over the packet network. When a host processor receives the data packet from the packet network, the host processor unencapsulates the packets to obtain the data. The host processor then provides the data to the appropriate application.
The process of encapsulating data into a packet involves adding information such as source and destination addresses to the data to facilitate transmission of the data over the packet network. Conventionally, the encapsulation process follows a particular packet data protocol. A typical protocol defines the structure of a packet such as the location of the source address and the destination address in the packet. A protocol also may define procedures for routing the packet over the network using those addresses. For example, the components in a data network may use the destination address to determine where to send the packet. The recipient application may use the source address to determine which application sent the packet.
Common protocols used in conjunction with the Internet include Internet protocol (“IP”), transmission control protocol (“TCP”), user datagram protocol (“UDP”) and Internet control message protocol (“ICMP”). In general, IP relates to controlling data transfer between host processors, TCP relates to establishing sessions to transfer data between applications, UDP provides a faster but less reliable data transfer mechanism than TCP, and ICMP relates to error messages and network traffic statistics.
Data transmitted over public networks such as the Internet may be encrypted to prevent unauthorized parties from intercepting the data. Typically, a device connected to the network encrypts data using a cipher algorithm and an encryption key. The device sends the encrypted data over the network to another device that decrypts the data using the cipher algorithm and a decryption key.
Several standards have been developed to facilitate secure data transmission over data networks. For example, the Internet security protocol (“IPsec”) may be used to establish secure host-to-host pipes and virtual private networks over the Internet. IPsec defines a set of specifications for cryptographic encryption and authentication. IPsec also supports several algorithms for key exchange, including an Internet Key Exchange (“IKE”) algorithm for establishing keys for secure sessions established between applications.
Some systems include dedicated devices that offload some of the processing operations from the host processor. For example, a network processor may be used to perform some of the packet processing operations. A cryptographic accelerator may be used to perform the cipher algorithms to offload encryption/decryption/authentication processing from the host processor.
In a typical system, the primary data flow is from the host processor to the network processor then to the network, and vice-versa. In addition, the host processor or network processor routes packets that will be encrypted or decrypted to the cryptographic accelerator. The cryptographic accelerator then routes the encrypted or decrypted packets back to the host processor or network processor. In personal computer-based systems, the host processor, network processor and cryptographic accelerator typically are connected via a peripheral component interface (“PCI”) bus.
Conventional PCI-resident cryptographic engines (e.g., cryptographic accelerators or processors) have several disadvantages. For example, the data may be subject to additional round trips over the host bus. That is, the data may be routed over the PCI bus several times to pass the data to various components that process the data. In addition, the use of an independent device for the cryptographic engine adds a relatively significant cost to the host system. Furthermore, it may be relatively difficult to implement such a system in tandem with a TCP offload engine (or a Layer 5 device) because IPsec is a Layer 3.5 process that, in effect, would sit in the midst of the TCP offload engine (“TOE”).
Also, integration of the cryptographic engine into an Ethernet controller may add significant cost to the Ethernet controller. Given that the extent of the market's adoption of cryptography may be significantly less than the market's adoption of Ethernet controllers, such integration may not be economically justifiable.
Coupled with the need to improve the operating speed and lower the cost of conventional cryptographic technology in general, there is a need to provide cryptographic processing to support faster data transfers defined by various data communication standards. In an attempt to address the perpetual need for faster data communications, various groups are continuously developing standards that specify high-speed data transfers between components of data communication systems. For example, IEEE standards 802.3ab and 802.3z define Ethernet systems for transferring data at rates up to one gigabit per second (1 Gbit/s). IEEE standard 802.3ae defines an Ethernet system for transferring data at rates up to 10 Gbits/s.
The development of these standards and the ever increasing need for faster data transfers create a need for techniques and circuits capable of achieving high data transfer rates in a secure environment. Moreover, there is an ever-present economic motivation to achieve such results in a cost effective and adaptable manner. Accordingly, a need exists for improved data security processing techniques to support data transmission over data networks.